TITLE OF THE INVENTION

DISTRIBUTED SYSTEM AUTHENTICATION

CROSS REFERENCE TO RELATED APPLICATIONS

N/A

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

N/A

BACKGROUND OF THE INVENTION

The present invention relates to systems and techniques for authenticating users submitting requests from client computers for services/resources provided by server computers executing distributed applications.

In a typical computer network configuration, client computers interconnected by the computer network transmit user requests to access services/resources provided by server computers connected to the network. Such server computers typically include data processing agents, which execute applications for processing the user requests and providing the requested services/resources to the client computers. These applications may be executed on a single data processing agent to provide at least one service/resource to the client computers. Alternatively, these applications may be distributed such that portions of the distributed application are executed on respective data processing agents included in the server computer. As a result, each respective data processing agent may be used for providing specific services/resources to the client computers.

One drawback of server computers, whether they execute distributed or non-distributed applications, is that they typically have no knowledge about the user's right to access requested services/resources. This can be problematic because applications executing on server computers often provide different services/resources depending upon the user's level of access privileges.

For example, a user of a client computer with a particular level of access privileges may or may not have access to, e.g., specific files, directories, databases, web pages, and/or other computer services/resources provided by the application. It is therefore desirable to authenticate users submitting requests from client computers to ensure that they have the requisite levels of access privileges for accessing the requested files, directories, databases, web pages, and/or other computer services/resources. In this way, unauthorized users can be prevented from accessing restricted services/resources on the computer network, and the security of the computer network can be maintained.

One technique for authenticating users includes receiving a user request from a client computer at a server computer for a service/resource provided by an application resident on the server computer; and, in response to that request, transmitting a message from the server computer to the client computer informing the client computer of what it must do to authenticate the user. For example, that message might inform the client computer that in order to authenticate the user it must provide a valid USERNAME/PASSWORD combination. In response to that message, the user enters the required USERNAME/PASSWORD combination at the client computer. Another user request is then received at the server computer from the client computer including the entered USERNAME/PASSWORD combination. In response to that request, the USERNAME is located in, e.g., a stored access control list; the PASSWORD corresponding to the USERNAME is verified; and, if the USERNAME/PASSWORD combination is found valid, a stored level of access privileges is retrieved for that user. Finally, the application executing on the server computer provides the user of the client computer with the requested services/resources according to that user's level of access privileges.

The above-described technique of authenticating users can be implemented on a server computer with a single data processing agent executing a non-distributed application that requires knowledge of the user's access privilege level. However, this technique has drawbacks when implemented on a server computer with a plurality of data processing agents executing a distributed application because it has no mechanism for providing the user's access privilege level to the application executing on the plurality of agents.

It would therefore be desirable to have a system and technique for authenticating users submitting requests from client computers to a server computer executing a distributed application. It would also be desirable to have such systems and techniques for authenticating users that minimize the overall time required for performing user authentication.

BRIEF SUMMARY OF THE INVENTION

In accordance with the present invention, a method and apparatus are disclosed for authenticating a user submitting a service request from a client computer to a server computer executing a distributed application on a plurality of data processing agents. Such user authentication is accomplished by providing a centralized mechanism that all data processing agents of the server can utilize to authenticate a potential user.

In one embodiment, a first data processing agent included in the server receives a service request from a potential user, and submits an authentication request to a second data processing agent included in the server to authenticate the user. The second data processing agent attempts to authenticate the user, and transmits a message to the first data processing agent including information indicative of whether the user is successfully authenticated. If the user is successfully authenticated, then the first data processing agent shares that information with the distributed application executing thereon, which provides the requested service to the user. In the foregoing manner, the second data processing agent serves as the centralized mechanism that the first data processing agent and all of the remaining data processing agents included in the server can utilize to authenticate potential users.

In a second embodiment, the first data processing agent included in the server receives a first service request from the user, and submits an authentication request to the second data processing agent to authenticate the user. The second data processing agent attempts to authenticate the user; and, if the user is successfully authenticated, stores a time-out value indicative of a predetermined time period for that user. Next, the second data processing agent determines whether the predetermined time period is exceeded starting from a time of receipt of the first request. In the event that the predetermined time period is exceeded without receiving a second service request from the user, the server requires the user to be re-authenticated at the second data processing agent upon receipt of the second service request. In the foregoing manner, the second data processing agent restricts the amount of time that the user can remain idle before the server requires re-authentication of that user.

In a third embodiment, the first data processing agent receives a service request from the user, and submits an authentication request to the second data processing agent to authenticate the user. Next, the second data processing agent attempts to authenticate the user. In the event that the user is successfully authenticated, the second data processing agent transmits valid user authentication information to the first data processing agent, which locally stores that information. Next, the first data processing agent receives another service request from the user, and attempts to authenticate the user using the stored user authentication information. If the user is successfully authenticated, then the first data processing agent shares that information with the distributed application executing thereon, which provides the requested service to the user. In the foregoing manner, the first data processing agent can authenticate the user without having to submit an authentication request to the second data processing agent.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

The invention will be more fully understood by reference to the following Detailed Description of the Invention in conjunction with the Drawing of which:

Fig. 1 is a block diagram illustrating a computer network operative in a manner according to the present invention;

Fig. 2 is a block diagram illustrating a representative server computer connected to the computer network depicted in Fig. 1, operative in a manner according to the present invention;

Fig. 3 is a flow diagram illustrating a method of the representative server computer depicted in Fig. 2 for authenticating users, operative in a manner according to the present invention; and

Fig. 4 is a flow diagram illustrating a method of the representative server computer depicted in Fig. 2 for restricting the amount of time that a valid user can remain idle, operative in a manner according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Fig. 1 depicts an illustrative embodiment of a computer network 100 that is operative in a manner in accordance with the present invention. Specifically, the computer network 100 includes a plurality of client computers ("clients") such as clients 102, 104, and 106, and at least one server computer ("server") such as server 108. Further, the clients 102, 104, and 106, and the server 108 are operatively connected to a network 110, which may comprise a Local Area Network (LAN), a Wide Area Network (WAN), the Internet, or any other network suitable for linking clients and servers to allow communications therebetween.

Each of the clients 102, 104, and 106, and the server 108, includes a network adapter (not shown) for enabling communications over the network 110. In addition, each client 102, 104, and 106 includes at least one memory (not shown) such as a ROM or RAM, and at least one processor (not shown) operative for executing programs stored in the memory, including applications for processing user inputs, initiating and/or controlling connections to the network 110, and submitting requests for services/resources to the server 108.

For example, users (not shown) of the clients 102, 104, and 106 may submit requests to the server 108 for accessing selected files, directories, databases, web pages, and/or other computer services/resources. Those of ordinary skill in this art will recognize that the term "users" may refer not only to human operators, but also to processes executing on the clients 102, 104, and 106.

Fig. 2 depicts a block diagram of an exemplary server 108 such as depicted in Fig. 1. The server 108 includes a manager agent 202 operatively connected to a plurality of service agents, such as service agents 204, 206, and 208, via a bus 232. Each agent 202, 204, 206, and 208 includes at least one memory (not shown) such as a ROM or RAM, and at least one processor (not shown) operative for executing programs stored in the memory, including applications for initiating and/or controlling connections to the network 110, processing requests for services/resources submitted by the clients 102, 104, and 106, and providing requested services/resources to the clients 102, 104, and 106.

In this illustrative embodiment, the manager agent 202 and the service agents 204, 206, and 208 are capable of executing distributed applications. For example, the users of the clients 102, 104, and 106 may submit requests to the server 108 for accessing services/resources provided by a distributed application executing on the plurality of agents 202, 204, 206, and 208. Further, each agent 202, 204, 206, and 208 executing the distributed application may provide specific services/resources to the clients 102, 104, and 106 based on the requests submitted by the users.

It should be noted that the specific services/resources provided by way of the agents 202, 204, 206, and 208 to the clients 102, 104, and 106 are dependent upon each user's level of access privileges, which is determined at the server 108 through the execution of a user authentication program. Because each agent 202, 204, 206, and 208 executing the distributed application provides specific services/resources to the users, each agent 202, 204, 206, and 208 uses at least a portion of its processing and storage resources for performing tasks related to user authentication.

Specifically, each agent 202, 204, 206, and 208 includes an authentication client operatively connected to a writable, local storage media such as a RAM. For example, the manager agent 202 includes an authentication client 214 connected to a local storage media 224, the service agent 204 includes an authentication client 216 connected to a local storage media 226, the service agent 206 includes an authentication client 218 connected to a local storage media 228, and the service agent 208 includes an authentication client 220 connected to a local storage media 230. The manager agent 202 further includes an authentication server 212 connected to a writable, local storage media 223 such as a RAM; and, a writable, main storage media 222 such as a non-volatile RAM.

In the illustrative embodiment, upon receipt of a user request for a specific service/resource provided by a distributed application executing on one or more of the agents 202, 204, 206, and 208, the authentication client for a respective agent attempts to authenticate the user by accessing user data stored in the local storage media connected thereto. If the authentication client successfully locates authentication information for the user in the local storage media, but that information does not match corresponding authentication information attached to the user request, then the authentication client transmits a message to the user informing him or her that access to the requested service/resource is denied. Alternatively, if the authentication client cannot locate authentication information for the user in the local storage media, then the authentication client submits a request to the authentication server 212 to authenticate the user.

In response to that request, the authentication server 212 attempts to authenticate the user by accessing user data stored in the local storage media 223 connected thereto. If the authentication server successfully locates authentication information for the user in the local storage media 223, but that information does not match the corresponding authentication information attached to the user request, then the authentication server transmits a message to the user informing him or her that access to the requested service/resource is denied. Alternatively, if the authentication server cannot locate authentication information for the user in the local storage media 223, then the authentication server 212 attempts to authenticate the user by accessing user data stored in the main storage media 222 connected thereto. If the authentication server 212 is incapable of successfully authenticating the user by accessing the user data stored in the main storage media 222, then the authentication server 212 may transmit a message to the user informing him or her that access to the requested service/resource is denied. Alternatively, the authentication server 212 may transmit a message to the user prompting him or her to "log-in" by entering valid user authentication information. Upon receipt of that information, the authentication server 212 attempts to authenticate the user by comparing the entered user authentication information with user data stored in the main storage media 222. If the entered user authentication information matches corresponding user data stored in the main storage media 222, then access to the requested service/resource is permitted; otherwise, access is denied.

ATTORNEY DOCKET NO. SYNER-161XX
WEINGARTEN, SCHURGIN,
GAGNEBIN & HAYES, LLP
TEL. (617) 542-2290
FAX. (617) 451-0313

The illustrative embodiment disclosed herein will be better understood with reference to the following example, wherein a user, i.e., a human operator (not shown), of the client 102 wishes to obtain access to a specific service/resource provided by a distributed application executing on the agents 202, 204, 206, and 208 of the server 108 (see Fig. 1).

Accordingly, the client 102 transmits a message to the server 108 including a request to access the specific service/resource, which is provided by the distributed application executing on one of the agents 202, 204, 206, and 208; for example, the service agent 204. It should be understood that the manner in which the client 102 and the server 108 transmit and receive messages is conventional.

In this illustrative example, it is assumed that the above-mentioned request for services/resources transmitted by the client 102 is the first request of a session, and the first request does not include information for authenticating the user of the client 102. Accordingly, in response to that first request, the server 108 transmits a message to the client 102 that includes information about what the client 102 must do to authenticate the user.

Specifically, that message informs the client 102 that it must provide the authentication server 212 with valid authentication information for the user, e.g., a valid USERNAME/PASSWORD combination. The client 102 therefore prompts the user to enter the required USERNAME/PASSWORD combination. For example, the client 102 may prompt the user by way of a user interface (not shown), which includes a display monitor, and a keyboard and/or a screen-cursor manipulator such as a mouse.

After the user enters the requested USERNAME/PASSWORD combination via the user interface, the client 102 transmits another request for services/resources to the server 108 along with the entered USERNAME/PASSWORD. In response to that request, the authentication server 212 verifies the entered USERNAME/PASSWORD combination against user data stored in the main storage media 222 included in the manager agent 202.

In this illustrative example, the main storage media 222 includes user data corresponding to a list of "permissible" users; i.e., users that would be permitted access to the services/resources provided by the distributed application executing on the server 108 upon verification of a valid USERNAME/PASSWORD combination. For example, user data corresponding to the permissible users may be arranged in the main storage media 222 as a MAIN USER LOGIN TABLE, including the USERNAME for each permissible user and corresponding PASSWORD and ACCESS LEVEL for that user. Further, the ACCESS LEVEL may be indicated by, e.g., a numerical value within a specified range of numerical values, with each numerical value indicating a different level of access privileges for the user and optionally including the default value, ACCESS DENIED, indicating that access to the requested service/resource is denied.

If the authentication server 212 (1) locates the entered USERNAME in the MAIN USER LOGIN TABLE, and (2) determines that the entered PASSWORD matches the corresponding PASSWORD in the MAIN USER LOGIN TABLE, then the entered USERNAME/PASSWORD combination is verified and the user of the client 102 is successfully authenticated. As a result, the authentication server 212 retrieves the ACCESS LEVEL for that user from the MAIN USER LOGIN TABLE stored in the main storage media 222; stores the USERNAME, PASSWORD, and ACCESS LEVEL information in the local storage media 223; and, transmits the USERNAME, PASSWORD, and ACCESS LEVEL information to the authentication client requesting authentication of the user (e.g., the authentication client 216) for storage in the local storage media operatively connected thereto (e.g., the local storage media 226).

In this illustrative example, each local storage media 223, 224, 226, 228, and 230 includes user data related to a list of "active" users; i.e., users that have been successfully verified against the user data stored in the main storage media 222. For example, the user data corresponding to the active users may be arranged in each local storage media 223, 224, 226, 228, and 230 as a LOCAL USER LOGIN TABLE, including the USERNAME for each active user and the corresponding PASSWORD and ACCESS LEVEL for that user.
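The three-tier lookup described above (the authentication client's LOCAL USER LOGIN TABLE, then the authentication server's local table 223, then the MAIN USER LOGIN TABLE in main storage 222), together with the population of the local tables after a successful verification, as an added Python example. This is editorial illustration, not code from the patent: the class and function names, the constructed rows for "alice" and "bob", the `requests_seen` counter and the `resolved_at` labels are all assumptions. The edge case the example makes visible is that a USERNAME found at a tier with a mismatched PASSWORD is denied at that tier and never forwarded; only an absent USERNAME falls through to the next tier.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

ACCESS_DENIED = 0   # default ACCESS LEVEL: access to the requested service/resource is denied


@dataclass
class LoginRecord:
    """One row of a USER LOGIN TABLE: USERNAME, PASSWORD, ACCESS LEVEL."""
    username: str
    password: str
    access_level: int


@dataclass
class AuthResult:
    ok: bool
    access_level: int = ACCESS_DENIED
    resolved_at: str = ""    # tier that answered: "client", "server-local" or "main"
    message: str = ""        # text sent back to the client computer


class LoginTable:
    """MAIN or LOCAL USER LOGIN TABLE keyed by USERNAME."""
    def __init__(self, rows=()):
        self._rows = {r.username: r for r in rows}

    def lookup(self, username: str) -> Optional[LoginRecord]:
        return self._rows.get(username)

    def store(self, rec: LoginRecord) -> None:
        self._rows[rec.username] = rec


def password_matches(rec: LoginRecord, password: str) -> bool:
    # Constant-time comparison of the attached PASSWORD with the stored one.
    return hmac.compare_digest(rec.password.encode(), password.encode())


class AuthenticationServer:
    """Authentication server 212: the local table (223) is consulted before the
    main table (222). A present-but-mismatched entry is denied, not forwarded."""
    def __init__(self, main_table: LoginTable):
        self.main = main_table        # MAIN USER LOGIN TABLE: permissible users
        self.local = LoginTable()     # LOCAL USER LOGIN TABLE: active users
        self.requests_seen = 0        # shows when a client had to consult the server

    def authenticate(self, username: str, password: str) -> AuthResult:
        self.requests_seen += 1
        rec = self.local.lookup(username)
        if rec is not None:
            if password_matches(rec, password):
                return AuthResult(True, rec.access_level, "server-local")
            return AuthResult(False, message="access denied")
        rec = self.main.lookup(username)
        if rec is None or not password_matches(rec, password):
            return AuthResult(False, message="access denied")   # not permissible, or wrong PASSWORD
        self.local.store(rec)         # the user becomes "active" at the server
        return AuthResult(True, rec.access_level, "main")


class AuthenticationClient:
    """Authentication client on a service agent, with its own LOCAL USER LOGIN TABLE."""
    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.local = LoginTable()

    def handle_request(self, username: Optional[str] = None,
                       password: Optional[str] = None) -> AuthResult:
        if username is None or password is None:
            # First request of a session carries no credentials: say what is required.
            return AuthResult(False, message="provide a valid USERNAME/PASSWORD")
        rec = self.local.lookup(username)
        if rec is not None:
            if password_matches(rec, password):
                return AuthResult(True, rec.access_level, "client")
            return AuthResult(False, message="access denied")   # no fall-through
        result = self.server.authenticate(username, password)
        if result.ok:
            # The server returns USERNAME, PASSWORD and ACCESS LEVEL for local storage.
            self.local.store(LoginRecord(username, password, result.access_level))
        return result


def run_example():
    """Constructed walkthrough of the client 102 session described in the text."""
    main = LoginTable([LoginRecord("alice", "correct horse", 3),   # constructed rows
                       LoginRecord("bob", "hunter2", 1)])
    server = AuthenticationServer(main)
    agent_204, agent_206 = AuthenticationClient(server), AuthenticationClient(server)
    steps = [
        agent_204.handle_request(),                          # challenge, no credentials
        agent_204.handle_request("alice", "correct horse"),  # verified against main table
        agent_204.handle_request("alice", "correct horse"),  # served from agent 204's table
        agent_206.handle_request("alice", "correct horse"),  # served from server's local table
        agent_204.handle_request("alice", "wrong"),          # denied locally, server not asked
        agent_204.handle_request("mallory", "x"),            # not a permissible user
    ]
    return steps, server
```

Calling `run_example()` returns the six results in order; the server's `requests_seen` ends at 3 because the repeat request on agent 204 and the mismatched PASSWORD are both settled at the client without a round trip to the authentication server.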

The authentication server 212 also retrieves a SYSTEM TIMEOUT VALUE from the main storage media 222 along with the ACCESS LEVEL information, and transmits the SYSTEM TIMEOUT VALUE with the USERNAME, PASSWORD, and ACCESS LEVEL information to the authentication client requesting authentication of the user (e.g., the authentication client 216) for storage in its respective LOCAL USER LOGIN TABLE as a LOGIN TIMEOUT VALUE for the authenticated user. The LOGIN TIMEOUT VALUE indicates the maximum allowable amount of time between successive user "activities", which include user requests submitted from the client 102 for services/resources provided by the distributed application executing on the server 108. For example, if the time between successive user activities exceeds the LOGIN TIMEOUT VALUE for that user, then the user must be re-authenticated by the authentication server 212 before being permitted access to the requested services/resources.

In this illustrative example, the user may re-configure his or her corresponding LOGIN TIMEOUT VALUE via a user interface of the server 108. For example, the SYSTEM TIMEOUT VALUE may be equal to 30 minutes; and, the user may re-configure the corresponding LOGIN TIMEOUT VALUE to equal any integral value ranging from 0 to 30 minutes, wherein a LOGIN TIMEOUT VALUE of 0 minutes indicates that the user is not subject to any time constraints between successive user activities and is therefore logged-in indefinitely.

If the user re-configures his or her corresponding LOGIN TIMEOUT VALUE, then the authentication server 212 transmits the new LOGIN TIMEOUT VALUE to each authentication client 214, 216, 218, and 220. If the user is active on any of the agents 202, 204, 206, and 208, then the authentication client for each of those agents replaces the user's LOGIN TIMEOUT VALUE stored in its respective LOCAL USER LOGIN TABLE with the new value.

In a preferred embodiment, the LOGIN TIMEOUT VALUES for active users are arranged in the local storage media 223 as a SESSION TIMEOUT TABLE, including the USERNAME for each active user and the corresponding LOGIN TIMEOUT VALUE for that user. Specifically, the SESSION TIMEOUT TABLE tracks LOGIN TIMEOUT VALUES for all active users of clients requesting services/resources provided by the distributed application executing on the agents 202, 204, 206, and 208 of the server 108.

After the authentication server 212 transmits the USERNAME, PASSWORD, ACCESS LEVEL, and SYSTEM TIMEOUT VALUE for the authenticated user to the authentication clients 214, 216, 218, and 220 for storage in the LOCAL USER LOGIN TABLES of the local storage media 224, 226, 228, and 230, respectively, the authentication server 212 provides the authenticated user's ACCESS LEVEL to the distributed application, which provides the requested service/resource to the user of the client 102 according to the ACCESS LEVEL of that user.

It should be noted that if the authentication server 212 fails to locate the entered USERNAME in the MAIN USER LOGIN TABLE, then that USERNAME does not correspond to a permissible user, and that user therefore cannot be successfully authenticated. As a result, the authentication server 212 transmits a message to the client 102 indicating that access to the requested service/resources is denied.

The illustrative embodiment disclosed herein can be used with distributed applications that require "per-form" authentication. "Per-form" authentication pertains to an authentication technique that requires verification of user authentication information for each form or document

information is stored locally in each of the agents 202, 204, 206, and 208, verification of user authentication information per-form may be achieved by locating that information in the LOCAL USER LOGIN TABLES of the local storage media 224, 226, 228, and 230, instead of submitting a request to the authentication server 212 to authenticate the user by locating that information in either the LOCAL USER LOGIN TABLE of the local storage media 223 or the MAIN USER LOGIN TABLE of the main storage media 222.

In this illustrative example, the user submits a second request for services/resources provided by the distributed application executing on the service agent 204. Because that second request is submitted after the authentication server 212 has already successfully authenticated the user, the client 102 automatically attaches the user's authentication information, i.e., the valid USERNAME/PASSWORD combination, to the request.

In response to that request, the authentication client 216 included in the service agent 204 attempts to authenticate the user by verifying the USERNAME/PASSWORD combination attached to the request against the user data stored in the local storage media 226 included in the service agent 204. If the authentication client 216 (1) locates the attached USERNAME in the LOCAL USER LOGIN TABLE of the local storage media 226, and (2) determines that the attached PASSWORD matches the corresponding PASSWORD in the LOCAL USER LOGIN TABLE, then the attached USERNAME/PASSWORD combination is verified and the user is successfully authenticated. Accordingly, the authentication client 216 provides the authenticated user's ACCESS LEVEL to the distributed application, which provides the requested service/resource to the user according to the ACCESS LEVEL of that user.

If the authentication client 216 determines that the attached PASSWORD does not match the corresponding PASSWORD in the LOCAL USER LOGIN TABLE of the local storage media 226, then the authentication client 216 transmits a message to the user informing him or her that access to the requested service/resource is denied. Alternatively, if the authentication client 216 cannot locate the attached USERNAME in the LOCAL USER LOGIN TABLE, then the authentication client 216 submits a request to the authentication server 212 to authenticate the user of the client 102.

In response to that request, the authentication server 212 attempts to authenticate the user by verifying the USERNAME/PASSWORD combination attached to the request against the user data stored in the local storage media 223 included in the manager agent 202. If the authentication server 212 (1) locates the attached USERNAME in the LOCAL USER LOGIN TABLE of the local storage media 223, and (2) determines that the attached PASSWORD matches the corresponding PASSWORD in the LOCAL USER LOGIN TABLE, then the attached USERNAME/PASSWORD combination is verified and the user of the client 102 is successfully authenticated. Accordingly, the authentication server 212 provides the authenticated user's ACCESS LEVEL to the distributed application, which provides the requested service/resource to the user according to the ACCESS LEVEL of that user.

If the authentication server 212 determines that the attached PASSWORD does not match the corresponding PASSWORD in the LOCAL USER LOGIN TABLE of the local storage media 223, then the authentication server 212 transmits a message to the user informing him or her that access to the requested service/resource is denied. Alternatively, if the authentication server 212 cannot locate the attached USERNAME in the LOCAL USER LOGIN TABLE, then the authentication server 212 attempts to authenticate the user by verifying the USERNAME/PASSWORD combination against the user data stored in the main storage media 222 included in the manager agent 202. If the authentication server 212 (1) locates the attached USERNAME in the MAIN USER LOGIN TABLE of the main storage media 222, and (2) determines that the attached PASSWORD matches the corresponding PASSWORD in the MAIN USER LOGIN TABLE, then the attached USERNAME/PASSWORD combination is verified and the user of the client 102 is successfully authenticated. Accordingly, the authentication server 212 provides the authenticated user's ACCESS LEVEL to the distributed application, which provides the requested service/resource to the user according to the ACCESS LEVEL of that user.

If the authentication server 212 either cannot locate the attached USERNAME in the MAIN USER LOGIN TABLE of the main storage media 222, or determines that the attached PASSWORD does not match the corresponding PASSWORD in the MAIN USER LOGIN TABLE, then the authentication server 212 cannot successfully authenticate that user. Accordingly, the authentication server 212 transmits a message to the client 102 indicating that access to the requested service/resources is denied, thereby terminating the current session between the client 102 and the server 108.

As mentioned above, the SESSION TIMEOUT TABLE included in the local storage media 223 tracks LOGIN TIMEOUT VALUES for all active users of clients submitting requests for services/resources provided by the distributed application executing on the server 108. Further, each LOGIN TIMEOUT VALUE indicates the maximum allowable amount of time between successive user activities; i.e., the maximum allowable "idle" time for that user. Accordingly, the authentication server 212 includes a timer (not shown) for determining whether maximum allowable idle times corresponding to users listed in the SESSION TIMEOUT TABLE have been exceeded. Similarly, each authentication client 214, 216, 218, and 220 includes a timer (not shown) for determining whether the maximum allowable idle time, as indicated by the LOGIN TIMEOUT VALUES stored in the respective local storage media 224, 226, 228, and 230, has been exceeded for each active user listed in the respective LOCAL USER LOGIN TABLES.

If the authentication server 212 determines that the maximum allowable idle time, as indicated by the user's LOGIN TIMEOUT VALUE stored in the SESSION TIMEOUT TABLE, has been exceeded, then that user is no longer considered an active user and the authentication server 212 re-sets the ACCESS LEVEL in the SESSION TIMEOUT TABLE for that previously active, authenticated user to the default value, ACCESS DENIED.

Accordingly, if the authentication server 212
subsequently attempts to authenticate the user by verifying
the user authentication information against the user data
listed in the LOCAL USER LOGIN TABLE of the local storage
media 223 or the MAIN USER LOGIN TABLE of the main storage
media 222, and determines from the SESSION TIMEOUT TABLE
that the ACCESS LEVEL for that user is set to the default
value, then the authentication server 212 removes the user
authentication data for that user from the LOCAL USER LOGIN
TABLE and the SESSION TIMEOUT TABLE of the local storage
media 223 to terminate the current session, and the server
108 transmits a message to the client prompting the user to
log in by entering valid user authentication information,
thereby starting a new session. It should be noted that the
SESSION TIMEOUT TABLE may alternatively be implemented as
fields in the LOCAL USER LOGIN TABLE of the local storage
media 223.

If any authentication client 214, 216, 218, or 220
determines that the maximum allowable idle time, as
indicated by the user's LOGIN TIMEOUT VALUE stored in the
LOCAL USER LOGIN TABLES of the local storage media 224, 226,
228, and 230, has been exceeded, then the authentication
client 214, 216, 218, or 220 immediately removes the
authentication information for that user from its respective
LOCAL USER LOGIN TABLE. Accordingly, upon receiving a
subsequent request for services/resources from the user, the
authentication client 214, 216, 218, or 220 submits a
request to the authentication server 212 to authenticate the
user.
Whenever any authentication client 214, 216, 218, or
220 processes a user activity, that authentication
client restarts its determination of whether the maximum
allowable idle time, as indicated by that user's LOGIN
TIMEOUT VALUE, has been exceeded. Further, the
authentication client transmits a message to the
authentication server 212 notifying the authentication
server 212 that the user activity has occurred. As a
result, the authentication server 212 restarts its
determination of whether the maximum allowable idle time for
that user has been exceeded. In this way, time-out
determinations performed by the authentication clients 214,
216, 218, and 220 are synchronized with the time-out
determinations performed by the authentication server 212.

In a preferred embodiment, each authentication client
214, 216, 218, and 220 transmits one notification message to
the authentication server 212 for each user that was active
during the preceding 60 seconds. Further, in order to avoid
potential race conditions between the time-out
determinations performed by the authentication server 212
and the authentication clients 214, 216, 218, and 220, the
authentication clients 214, 216, 218, and 220 adjust the
LOGIN TIMEOUT VALUES listed in the LOCAL USER LOGIN TABLES
to be approximately 1 minute less than the corresponding
LOGIN TIMEOUT VALUES listed in the SESSION TIMEOUT TABLE.
As a result, users' maximum allowable idle times will be
exceeded at the authentication clients 214, 216, 218, and
220 about 1 minute before they are exceeded at the
authentication server 212, thereby ensuring that all final
time-out determinations are made by the authentication
server 212 using the SESSION TIMEOUT TABLE. It should be
understood that the 1 minute margin may be varied, provided
that the objective of eliminating such race conditions is
preserved.

A method of authenticating a user submitting a service
request from a client to a server executing a distributed
application on a plurality of data processing agents is
illustrated by reference to Fig. 3. As depicted in step
302, a first user request is received at a service agent for
a service/resource provided by the distributed application
executing on the service agent. Next, the service agent
submits, as depicted in step 304, a request to the manager
agent to authenticate the user. As depicted in step 306,
the manager agent receives the authentication request and
attempts to authenticate the user. Next, a decision is
made, as depicted in step 308, as to whether the user is
successfully authenticated. If so, then the manager agent
retrieves, as depicted in step 310, valid authentication
information for that user and transmits, as depicted in step
312, that information to the service agent. Otherwise, the
server transmits, as depicted in step 314, a message to the
client indicating that access to the requested
service/resource is denied. As depicted in step 316, the
service agent receives and stores the valid authentication
information. Next, the distributed application executing on
the service agent provides, as depicted in step 318, the
requested service/resource to the user. As depicted in step
320, a second user request is received at the same service
agent. Next, the service agent attempts, as depicted in
step 322, to authenticate the user using the stored user
authentication information. As depicted in step 324, a
decision is made as to whether authentication information
attached to the second user request matches the stored user
authentication information. If so, then the distributed
application executing on the service agent provides, as
depicted in step 326, the requested service/resource to the
user. Otherwise, the server transmits, as depicted in step
328, a message to the client indicating that access to the
requested service/resource is denied.

A method of restricting the amount of time that a user
submitting requests from a client can remain idle before
requiring that user to be re-authenticated is illustrated by
reference to Fig. 4. As depicted in step 402, a first user
request is received at a service agent for a
service/resource provided by the distributed application
executing on the service agent. Next, the service agent
submits, as depicted in step 404, a request to a manager
agent to authenticate the user. As depicted in step 406,
the manager agent receives the authentication request and
attempts to authenticate the user. Next, a decision is
made, as depicted in step 408, as to whether the user is
successfully authenticated. If so, then the manager agent
retrieves, as depicted in step 410, valid user
authentication information; stores, as depicted in step 412,
a predetermined time-out value for that user; and transmits,
as depicted in step 414, the authentication information and
the time-out value to the service agent. Otherwise, the
server transmits, as depicted in step 416, a message to the
client indicating that access to the requested
service/resource is denied. As depicted in step 418, the
service agent receives and stores the valid user
authentication information and the time-out value. Next,
the distributed application executing on the service agent
provides, as depicted in step 420, the requested
service/resource to the user. As depicted in step 422, a
second user request is received at the same service agent.
Next, a decision is made, as depicted in step 424, as to
whether the authentication information for that user has
been removed from the service agent's storage media because
the corresponding time-out value has been exceeded. If so,
then the user is required, as depicted in step 426, to be
re-authenticated by the manager agent. Otherwise, the
service agent authenticates, as depicted in step 428, the
user using the stored user authentication information.
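The following Python simulation is an added example, not code from the patent, that puts the two-tier flow of Figs. 3 and 4 together with the idle time-out synchronization described earlier (service-agent time-outs about 1 minute shorter than the manager agent's, one activity notification per active user per interval, final time-out decisions at the manager). The ManagerAgent and ServiceAgent classes, the status strings, the list layouts of the tables, the SHA-256 digest stored in place of the PASSWORD, the single simulated clock and the timing constants are all assumptions of this example.

```python
"""Added illustration, not code from the patent: manager agent / service agent
authentication cache (Figs. 3 and 4) with the idle time-out synchronization between
the SESSION TIMEOUT TABLE and the LOCAL USER LOGIN TABLES.  Time is passed in as
simulated seconds so the scenario is deterministic."""
import hashlib
import hmac

ACCESS_DENIED = 0      # default ACCESS LEVEL in the SESSION TIMEOUT TABLE
SERVER_TIMEOUT = 300   # LOGIN TIMEOUT VALUE kept by the manager agent (seconds)
CLIENT_SKEW = 60       # service agents time out about 1 minute earlier


def fingerprint(password):
    # Assumption of this example: the tables hold a digest of the PASSWORD rather
    # than the PASSWORD itself, so a copied LOCAL USER LOGIN TABLE leaks no secret.
    return hashlib.sha256(password.encode()).hexdigest()


class ManagerAgent:
    """Authentication server 212: MAIN USER LOGIN TABLE plus SESSION TIMEOUT TABLE."""
    def __init__(self, main_user_login_table):
        self.main = main_user_login_table  # USERNAME -> (digest, ACCESS LEVEL)
        self.session = {}                  # USERNAME -> [ACCESS LEVEL, timeout, last activity]
        self.auth_calls = 0                # round trips, to show what the cache saves

    def _expire_idle(self, now):
        for s in self.session.values():
            if now - s[2] > s[1]:
                s[0] = ACCESS_DENIED       # user is no longer considered active

    def authenticate(self, username, password, now):
        self.auth_calls += 1
        self._expire_idle(now)
        s = self.session.get(username)
        if s is not None and s[0] == ACCESS_DENIED:
            del self.session[username]     # terminate the session; user must log in anew
            return "RELOGIN", ACCESS_DENIED, 0
        rec = self.main.get(username)
        if rec is None or not hmac.compare_digest(rec[0], fingerprint(password)):
            return "DENIED", ACCESS_DENIED, 0
        self.session[username] = [rec[1], SERVER_TIMEOUT, now]
        return "OK", rec[1], SERVER_TIMEOUT

    def notify_activity(self, username, now):
        s = self.session.get(username)
        if s is not None and s[0] != ACCESS_DENIED:
            s[2] = now                     # restart the server-side idle timer


class ServiceAgent:
    """Authentication client 214..220: LOCAL USER LOGIN TABLE with its own timer."""
    def __init__(self, manager):
        self.manager = manager
        self.local = {}                    # USERNAME -> [digest, ACCESS LEVEL, timeout, last]
        self.active_since_heartbeat = set()

    def _expire_idle(self, now):
        for u in [u for u, e in self.local.items() if now - e[3] > e[2]]:
            del self.local[u]              # removed at once; next request re-authenticates

    def heartbeat(self, now):
        # one notification per user active in the preceding interval (60 s in the text)
        for u in self.active_since_heartbeat:
            self.manager.notify_activity(u, now)
        self.active_since_heartbeat.clear()

    def request(self, username, password, now):
        self._expire_idle(now)
        e = self.local.get(username)
        if e is None:
            status, level, timeout = self.manager.authenticate(username, password, now)
            if status != "OK":
                return status, ACCESS_DENIED
            # store the valid authentication information with a skewed time-out
            self.local[username] = [fingerprint(password), level, timeout - CLIENT_SKEW, now]
        elif not hmac.compare_digest(e[0], fingerprint(password)):
            return "DENIED", ACCESS_DENIED  # attached PASSWORD does not match the cache
        else:
            e[3] = now                     # restart the client-side idle timer
        self.active_since_heartbeat.add(username)
        return "OK", self.local[username][1]


def simulate():
    """Constructed scenario; returns (time, status, ACCESS LEVEL, manager round trips)."""
    manager = ManagerAgent({"alice": (fingerprint("correct horse"), 2)})
    agent = ServiceAgent(manager)
    trace = []

    def req(t, pw):
        status, level = agent.request("alice", pw, t)
        trace.append((t, status, level, manager.auth_calls))

    req(0, "correct horse")    # cache miss: manager authenticates, agent caches
    req(30, "wrong")           # cache hit, PASSWORD mismatch: denied locally
    req(30, "correct horse")   # cache hit: served with no manager round trip
    agent.heartbeat(60)        # manager learns alice was active
    req(300, "correct horse")  # idle 270 s > 240 s: agent expired, manager (idle 240 s) re-confirms
    req(700, "correct horse")  # idle 400 s: manager has reset alice to ACCESS DENIED
    req(700, "correct horse")  # fresh log-in starts a new session
    return trace
```

Calling simulate() shows the three behaviours the text describes: only the first request of a session reaches the manager agent, a mismatching PASSWORD against the cached entry is refused by the service agent without a round trip, and when the service agent's shorter timer runs out first the manager still confirms the user, whereas once the manager has reset the ACCESS LEVEL the user is told to log in again. One caveat for a real deployment: this example drives both agents from one simulated clock, so the 1 minute margin has to be checked against actual notification latency and drift between the agents' timers before it can be relied on to keep the final decision at the manager.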
Having described one illustrative embodiment, other
alternative embodiments or variations may be made. For
example, it was described that a client submits user
requests to a server by way of a network for accessing
services/resources provided by a distributed application
executing on a plurality of agents included in that same
server. However, the plurality of agents executing the
distributed application may alternatively be included in
respective servers operatively connected to the network. In
this alternative embodiment, one server may include a
manager agent, and the remaining servers may include
respective service agents. Further, the server including
the manager agent may further include storage media for
storing the MAIN USER LOGIN TABLE and the SESSION TIMEOUT
TABLE, and the servers including the respective service
agents may further include storage media for storing LOCAL
USER LOGIN TABLES. In this way, the disclosed systems and
techniques for authenticating users can be implemented in a
fully distributed computing environment.

Those of ordinary skill in the art will appreciate that
computer programs for performing the presently described
functions can be delivered to the server 108 in many forms
including, but not limited to: (a) information permanently
stored on non-writable storage media (e.g., read-only memory
devices within a computer such as ROM or CD-ROM disks
readable by a computer I/O attachment); (b) information
alterably stored on writable storage media (e.g., floppy
disks, tapes, read/write optical media and hard drives); or,
(c) information conveyed to a computer through a
communication media, for example, using base-band signaling
or broadband signaling techniques, such as over computer or
telephone networks via a modem.

In addition, while in this illustrative embodiment the
functions are illustrated as being software-driven and
executable out of memories by processors in the server 108,
the presently described functions may alternatively be
embodied in part or in whole using hardware components such
as custom or semi-custom integrated circuits including
Application Specific Integrated Circuits (ASICs),
Programmable Logic Arrays (PLAs), state machines,
controllers or other hardware components or devices, or a
combination of hardware components and software.

Those of ordinary skill in the art should further
appreciate that variations to and modification of the
above-described systems and techniques for authenticating users
submitting requests from clients to servers may be made
without departing from the inventive concepts disclosed
herein. Accordingly, the present invention should be viewed
as limited solely by the scope and spirit of the appended
claims.